Cybersecurity: A Tech Cornerstone for Government
September 27, 2021
Government organizations have devoted vast resources in the last few years to undergo a rapid digital transformation. This concerted effort was needed to address a growing technology debt that had left governments well behind the private sector. Due to the rapid pace and often piecemeal fashion of the implementation of new technologies, governments are now facing a cybersecurity debt.
Governments are collecting vast troves of data in order to provide more services, and to do so efficiently. The complexity of having data stored in various places, along with the amount of data in movement, creates vulnerabilities. Information is porous, and data processed in the cloud can be accessed. Cybersecurity in many cases has been an afterthought, causing organizations to patch up holes in the data infrastructure versus building a deliberate architecture.
This virtual roundtable convened government technology experts to share how they are developing their data architecture and upgrading their cybersecurity.
Howard Boville, Senior Vice President & Head of IBM Cloud Platform, IBM
Matt Davies, Acting Chief Technology Officer, Shared Services Canada
Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget, United States
Adam Ford, Chief Information Security Officer, State of Illinois
Andy Grayland, Chief Information Security Officer, Scottish Local Government
Robert Martin, Chief Information Security Officer, Alberta Health Services
Vitaliy Panych, Chief Information Security Officer, State of California
Karen Sorady, Chief Information Security Officer, State of New York
Gary Stevens, Deputy Chief Information Security Officer, Executive Director, Cybersecurity Policy and Strategy, U.S. Department of Veterans Affairs
Matthew Schettenhelm, Government Analyst, Bloomberg Intelligence
Click here to view the video of the full discussion.
Here’s what they had to say:
In his opening remarks, Howard Boville, Senior Vice President & Head of IBM Cloud Platform, IBM, outlined the key challenges in cybersecurity, both in the public and private sector. First, “the massive pairs and increased pairs of companies wanting to digitize their processes get access to more data and reach that data to get better insights.” Second, operational risks, which are “not well known and therefore have latent issues.” Finally, and for the public sector especially, compliance and regulations that protect citizens’ data, respectfully, are critical.
Gary Stevens, Deputy Chief Information Security Officer, Executive Director, Cybersecurity Policy and Strategy, U.S. Department of Veterans Affairs, told us about the VA’s cloud initiative as it relates to President Biden’s recent executive order on cybersecurity, which focuses on making the process more uniform across the public and private sectors. We need to “ensure that we are managing this holistically, comprehensively, that we have defined policies that we’re able to internally manage within the VA space. We also need to ensure that the cloud environment is aligned with that, so it’s a holistic implementation of our security requirements. And to do that, it’s all also about risk. The risk management framework that we’ve implemented and that we comply with and use on a routine basis helps us understand what is the level of risks that we are accepting. And then, we ensure that the leadership is aware of that. The veteran deserves it – we want to ensure that their data is a hundred percent protected.”
Karen Sorady, Chief Information Security Officer, State of New York, shared insights from New York’s digital transformation. “Cybersecurity needs to be considered early on in your planning. The new threat environment is increasing the maturity of our agencies that are starting to engage security early, which is important. But there’s that give and take between the security requirements and the business requirements. We saw that a lot during the pandemic. There was a great rush to put out services and put them out quickly, which the cloud was fantastic for because of its ability to scale up and scale down, but it’s necessary to help the business understand that there are security risks and make sure that they’re considering that early on. [Jt1] So it really becomes like a partnership.”
Elaborating on approaching security at the local level, Adam Ford, Chief Information Security Officer, State of Illinois, shared insights on how U.S states can approach cloud transformations: “This is a real opportunity for states to learn lessons from the past and not repeat mistakes. Fundamentally, information security is about knowing where our assets are, where our data is, and who should or shouldn’t have access to that data. The cloud offers tremendous tools for us to be able to meet those needs, but it has to be done in a consistent fashion. We’re pretty bullish on the cloud here, but certainly want to make sure, and so thus far have kept security at the forefront.”
The job of unification is sizable in larger states that are working with wide populations. For instance, in California there are 140 different state agencies. Vitaliy Panych, Chief Information Security Officer, State of California, discussed their strategy on identity and access management, where the state has “doubled down” on centralization. “To create a single sign-on solution. It’s essential for the state of California to create a privacy-preserving mechanism as we roll out and deploy a zero-trust model.” This model extends to how the state conducts privacy controls for consent management and identity proofing. “Instead of conducting certain security controls independently down within our agencies, we’re looking at our opportunities to unify and do it once, but do it right at a statewide level starting from identity-proofing solutions to really benefit some of the privacy issues and challenges we’ve all been having.”
Expanding on cyber solutions in the federal government, we heard from Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget, United States. DeRusha stated that their main focus would be twofold. First, advancing zero trust, which is a challenge because most of the federal government still uses legacy IT systems. “We’re going to organize the federal government across identity, devices, network applications, data around the cross-cutting areas of visibility, analytics, orchestration, automation and governance. We’re going to define and set some clear three-year targets for all of the hundred-plus federal civilian agencies that we’re trying to work with. It’s going to be hard. And we’re going to need to share lessons and learnings across the government to do that. This isn’t a tool issue. That’s why we went out to public comment for our strategy, because we really understand that this is a new journey for everyone and we want to make sure that we have the right plan.” Second, they plan to move away from attested security and toward test security approaches.
No matter how robust the public sector operates, there is always going to be an issue of decentralization. That’s why Andy Grayland, Chief Information Security Officer, Scottish Local Government, offered insights on how local and federal governments can work alongside each other to rectify gaps. “We are currently developing a cyber response team where we can have a number of specialists across the public sector on standby in case of an attack within any given public sector organization. So, whilst each public sector organization is usually under-resourced in terms of security and network specialists collectively, we actually have a great deal of knowledge across the whole of the public sector. When an incident occurs, those experts would be drafted in from other public sector organizations to assess the rapid recovery of that individual organization.” He added, “We’re only at the very early stages of working on what this would look like, so if anyone has seen anything like that operating anywhere else, I’d be very happy to hear from you.”
Robert Martin, Chief Information Security Officer, Alberta Health Services, discussed what that sort of unification looks like in Canada. “[In Alberta,] when we came together as an organization, we all of a sudden had critical mass. We had the ability to work together, and not just work on piecemeal projects. We’ve got to be able to work on everything at the same time. That’s the model that we need to have going forward so we can work with all of our other partners and be much better. Working with the Canadian Center for Cybersecurity to help us with the continuous monitoring – that critical mass is very important.”
The prerequisite to successful collaboration is talent. Matt Davies, Acting Chief Technology Officer, Shared Services Canada, shared the value of this: “When it comes to cloud skills, you need to have the right talent to support the journey to the cloud and make your environment more secure. Attracting, developing and retaining resources is an absolutely critical part of our cybersecurity program.” Specifically, Davies said that security awareness training is paramount, especially since the shift to remote work, where people are accessing most of their information off-premises.
This Bloomberg Roundtable was Proudly Sponsored By